Re: Strange Folders

From: x y (levinson_k@despammed.com)
Date: 02/20/03


From: "x y" <levinson_k@despammed.com>
Date: Thu, 20 Feb 2003 08:47:53 -0500


Well, IMHO anonymous FTP access is safe and probably best in many situations
as it doesn't pass passwords in clear text across the network. You do want
to uninstall IIS FTP services if they are not needed, or make sure the
anonymous user [usually the IUSR account by default] does not have both read
and write permission to any one folder.

Also, installing patches is not enough to secure your server. There are
also some configuration changes you need to make and files to be deleted.
More info here:

http://securityadmin.info/faq.htm#harden [deleting the posix subsystem here
would have prevented the folder from being so hard to delete]
http://securityadmin.info/faq.htm#re-secure
http://securityadmin.info/faq.htm#hacked [try to discover dangerous back
doors installed on your computer; if you find some, you may want to format
and reinstall everything for best security]
http://securityadmin.info/faq.htm#ftpfolders [more information and methods
on this attack and how to delete the folders]
http://securityadmin.info/faq.htm#iislogs2
http://securityadmin.info/faq.htm#iislogs

If this hacking was done because the FTP anonymous user was left with too
many permissions, that is not as severe an intrusion as, say, someone
remotely executing commands on your system using an IIS www service buffer
overflow vulnerability. If these had been run on your system, you should
check for evidence of these in your www logs using the last two links above.

Above all, I would recommend investigating to learn how this was done so
that you can check other systems for intrusion, try to determine what
exactly was done to your system, and be sure not to make the same mistake
again. Formatting and reinstalling Windows doesn't help your security if
you don't fix all the holes the second time around.

"Atrax _" <anonymous@devdex.com> wrote in message
news:OApB9KI2CHA.1904@TK2MSFTNGP10.phx.gbl...
> http://rtfm.atrax.co.uk/infinitemonkeys/articles/iis/990.asp
>
>
> and patch your server, and disable anonymous FTP access.
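
An added example (not part of the original post) of the permission check the reply recommends: list every folder under the FTP root where the anonymous account, or a group it normally belongs to, is allowed both read and write. The root path, the IUSR_<machine> account name and the group list are assumptions; adjust them to the server being audited.

```powershell
# Added example: audit an FTP root for folders the anonymous user can both
# read and write. Path and identity names below are assumed defaults.
param(
    [string]$FtpRoot = 'C:\Inetpub\ftproot',
    [string[]]$Identities = @(
        "$env:COMPUTERNAME\IUSR_$env:COMPUTERNAME",
        'Everyone', 'BUILTIN\Guests', 'BUILTIN\Users',
        'NT AUTHORITY\Authenticated Users')
)

$R = [System.Security.AccessControl.FileSystemRights]
# Specific rights plus the raw GENERIC_READ / GENERIC_WRITE / GENERIC_ALL bits,
# which Get-Acl can return as plain numbers on older ACLs.
$readMask  = [int]($R::ReadData) -bor 0x80000000 -bor 0x10000000
$writeMask = [int]($R::WriteData) -bor [int]($R::AppendData) -bor 0x40000000 -bor 0x10000000
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

$folders = @(Get-Item -LiteralPath $FtpRoot) +
           @(Get-ChildItem -LiteralPath $FtpRoot -Recurse -Directory -Force -ErrorAction SilentlyContinue)

foreach ($folder in $folders) {
    try {
        $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction Stop
    } catch {
        # A folder whose ACL cannot be read deserves a manual look.
        Write-Warning "Cannot read ACL: $($folder.FullName)"
        continue
    }

    $allow = 0; $deny = 0
    foreach ($rule in $acl.Access) {
        if ($Identities -notcontains $rule.IdentityReference.Value) { continue }
        # Inherit-only entries apply to children, not to this folder itself.
        if ($rule.PropagationFlags -band $inheritOnly) { continue }
        if ($rule.AccessControlType -eq 'Allow') { $allow = $allow -bor [int]$rule.FileSystemRights }
        else                                     { $deny  = $deny  -bor [int]$rule.FileSystemRights }
    }

    # Approximation: deny entries are subtracted bit by bit; nested group
    # membership beyond the listed identities is not resolved.
    $effective = $allow -band (-bnot $deny)
    if (($effective -band $readMask) -and ($effective -band $writeMask)) {
        [pscustomobject]@{ Folder = $folder.FullName; AllowMask = ('0x{0:X8}' -f $allow) }
    }
}
```

Any folder the script prints should be changed to read-only or write-only for those identities.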


